A relatively new ransomware operation known as Nevada is quickly growing in capabilities, targeting Windows and VMware ESXi systems. On December 10, 2022, Nevada ransomware was promoted on the RAMP darknet forums, inviting Russian- and Chinese-speaking cybercriminals to join for an 85% cut of paid ransoms. Affiliates who bring in many victims are offered a 90% revenue share. RAMP has previously been reported as a space where Russian and Chinese hackers promote their cybercrime operations or communicate with peers.

Nevada ransomware features a Rust-based locker, a real-time negotiation chat portal, and separate domains on the Tor network for affiliates and victims. Resecurity researchers analyzed the new malware and published a report on their findings. While Nevada ransomware explicitly excludes English-speaking affiliates, the operators are open to doing business with vetted access brokers from anywhere.

Nevada ransomware spares certain system locales from the encryption process and uses MPR.dll to collect information about network resources, adding shared directories to the encryption queue. The payload uses the Salsa20 algorithm and performs intermittent encryption on files larger than 512KB to speed up encryption. Executables, DLLs, LNKs, SCRs, URLs, and INI files in Windows system folders and the user's Program Files are excluded from encryption to avoid rendering the victim host unbootable. Each folder receives a ransom note that gives victims five days to meet the threat actors' demands; otherwise their stolen data will be published on Nevada's data leak website.

The Linux/VMware ESXi version of Nevada ransomware uses the same encryption algorithm as the Windows variant. It relies on a constant variable, an approach previously seen in Petya ransomware. The Linux encryptor follows the same intermittent encryption scheme, fully encrypting only files smaller than 512KB. Likely due to a bug in the Linux version, Nevada ransomware skips all files sized between 512KB and 1.25MB. On Linux systems, the public key is stored at the end of the encrypted file as an additional 38 bytes. Resecurity says the similarities with Petya ransomware extend to encryption implementation bugs that might make it possible to retrieve the private key as well, which would allow recovering the data without paying the ransom.

Nevada ransomware is still building its network of affiliates and initial access brokers, looking for skilled hackers. Resecurity observed Nevada ransomware operators buying access to compromised endpoints and engaging a dedicated post-exploitation team to perform the intrusion. The researchers note that this threat appears to be continuing its growth and should be closely monitored.
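As an added example (not code from the article or from Resecurity's report), the following Python helper applies the file-selection rules described above to an inventory of paths and sizes, so an incident responder can see which files the described behaviour would leave intact (excluded system files on Windows, and the window between 512KB and 1.25MB that the Linux bug skips) and prioritise recovery accordingly. The concrete protected root paths, the handling of the exact boundary sizes, and all sample entries are assumptions constructed for illustration.

```python
"""Triage helper for the Nevada file-size encryption rules (added example, not from the report)."""
from collections import defaultdict
from dataclasses import dataclass

KB = 1024
FULL_ENCRYPT_LIMIT = 512 * KB        # Windows: above this, intermittent encryption; Linux: below this, full
LINUX_SKIP_UPPER = 1280 * KB         # 1.25MB: Linux variant skips files from 512KB up to here (reported bug)
LINUX_KEY_TRAILER = 38               # bytes appended to Linux-encrypted files holding the public key

EXCLUDED_EXTENSIONS = {".exe", ".dll", ".lnk", ".scr", ".url", ".ini"}
# Assumption: concrete roots standing in for "Windows system folders and Program Files".
PROTECTED_WINDOWS_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int  # bytes


def _extension(path: str) -> str:
    """Lower-cased extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify(entry: FileEntry, platform: str) -> str:
    """Return 'excluded', 'full', 'intermittent' or 'skipped_by_bug' for one file."""
    if platform == "windows":
        in_protected = entry.path.lower().startswith(PROTECTED_WINDOWS_ROOTS)
        if in_protected and _extension(entry.path) in EXCLUDED_EXTENSIONS:
            return "excluded"  # left alone so the host still boots
        return "intermittent" if entry.size > FULL_ENCRYPT_LIMIT else "full"
    if platform == "linux":
        if entry.size < FULL_ENCRYPT_LIMIT:
            return "full"
        # The report does not state boundary inclusivity; treated as inclusive here (assumption).
        if entry.size <= LINUX_SKIP_UPPER:
            return "skipped_by_bug"  # untouched by the Linux variant: recover these first
        return "intermittent"
    raise ValueError(f"unknown platform: {platform}")


def triage(entries, platform: str) -> dict:
    """Group an inventory into the four categories, preserving input order within each."""
    buckets = defaultdict(list)
    for entry in entries:
        buckets[classify(entry, platform)].append(entry.path)
    return dict(buckets)


def linux_original_size(encrypted_size: int) -> int:
    """Original length of a Linux-encrypted file, given the 38-byte key trailer the report describes."""
    if encrypted_size < LINUX_KEY_TRAILER:
        raise ValueError("file too small to carry the key trailer")
    return encrypted_size - LINUX_KEY_TRAILER


# Constructed sample inventory (not real victim data).
WINDOWS_SAMPLE = [
    FileEntry(r"C:\Windows\System32\kernel32.dll", 700 * KB),
    FileEntry(r"C:\Program Files\App\app.ini", 2 * KB),
    FileEntry(r"C:\Users\alice\Documents\report.docx", 100 * KB),
    FileEntry(r"C:\Users\alice\Documents\mailbox.pst", 2 * 1024 * KB),
    FileEntry(r"C:\Users\alice\Desktop\tool.exe", 300 * KB),  # outside the protected roots
]
LINUX_SAMPLE = [
    FileEntry("/vmfs/volumes/ds1/vm1/vm1-flat.vmdk", 20 * 1024 * KB),
    FileEntry("/home/bob/notes.txt", 10 * KB),
    FileEntry("/home/bob/cache.bin", 800 * KB),
    FileEntry("/home/bob/edge.bin", 512 * KB),
]

if __name__ == "__main__":
    for platform, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        for category, paths in sorted(triage(sample, platform).items()):
            print(f"{platform:8} {category:15} {len(paths)} file(s): {', '.join(paths)}")
```

In a real engagement the inventory would come from a file-system walk of the affected host or datastore; the `skipped_by_bug` bucket is the one to verify first, since those files should still be readable without any decryption.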
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 01 Feb 2023 19:27:02 +0000